Debian: New icedove packages fix several vulnerabilities

Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. Among other identified problems, the execution of arbitrary code might be possible via a crafted PNG file that triggers a free of an uninitialized pointer. It is possible to execute arbitrary code via vectors related to the layout and JavaScript engines. Bjoern Hoehrmann and Moxie Marlinspike discovered a possible spoofing attack via Unicode box drawing characters in internationalized domain names. Memory corruption and assertion failures have been discovered in the layout engine, leading to the possible execution of arbitrary code. Georgi Guninski discovered that it is possible to obtain xml data via an issue related to the nsIRDFService. The browser engine is prone to a possible memory corruption via several vectors. Gregory Fleischer discovered that it is possible to bypass the Same Origin Policy when opening a Flash file via the view-source: scheme. Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential man-in-the-middle attack, when using a proxy due to insufficient checks on a certain proxy response. Updated packages are available from security.debian.org.